
  1. // Copyright 2021 Google LLC
  2. //
  3. // Licensed under the Apache License, Version 2.0 (the "License");
  4. // you may not use this file except in compliance with the License.
  5. // You may obtain a copy of the License at
  6. //
  7. // http://www.apache.org/licenses/LICENSE-2.0
  8. //
  9. // Unless required by applicable law or agreed to in writing, software
  10. // distributed under the License is distributed on an "AS IS" BASIS,
  11. // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  12. // See the License for the specific language governing permissions and
  13. // limitations under the License.
  14. syntax = "proto3";
  15. package google.cloud.kms.v1;
  16. import "google/api/field_behavior.proto";
  17. import "google/api/resource.proto";
  18. import "google/protobuf/duration.proto";
  19. import "google/protobuf/timestamp.proto";
  20. import "google/protobuf/wrappers.proto";
  21. import "google/api/annotations.proto";
  22. option cc_enable_arenas = true;
  23. option csharp_namespace = "Google.Cloud.Kms.V1";
  24. option go_package = "google.golang.org/genproto/googleapis/cloud/kms/v1;kms";
  25. option java_multiple_files = true;
  26. option java_outer_classname = "KmsResourcesProto";
  27. option java_package = "com.google.cloud.kms.v1";
  28. option php_namespace = "Google\\Cloud\\Kms\\V1";
// A [KeyRing][google.cloud.kms.v1.KeyRing] is a toplevel logical grouping of [CryptoKeys][google.cloud.kms.v1.CryptoKey].
//
// Both fields below are OUTPUT_ONLY: a KeyRing carries no user-mutable state
// in this message; it exists to scope CryptoKeys under a project/location.
message KeyRing {
  option (google.api.resource) = {
    type: "cloudkms.googleapis.com/KeyRing"
    pattern: "projects/{project}/locations/{location}/keyRings/{key_ring}"
  };

  // Output only. The resource name for the [KeyRing][google.cloud.kms.v1.KeyRing] in the format
  // `projects/*/locations/*/keyRings/*`.
  string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time at which this [KeyRing][google.cloud.kms.v1.KeyRing] was created.
  google.protobuf.Timestamp create_time = 2 [(google.api.field_behavior) = OUTPUT_ONLY];
}
// A [CryptoKey][google.cloud.kms.v1.CryptoKey] represents a logical key that can be used for cryptographic
// operations.
//
// A [CryptoKey][google.cloud.kms.v1.CryptoKey] is made up of zero or more [versions][google.cloud.kms.v1.CryptoKeyVersion],
// which represent the actual key material used in cryptographic operations.
//
// NOTE(review): field numbers 4, 6 and 9 are not used in this message. If
// they were ever assigned in a published release they should be listed in a
// `reserved` statement so they cannot be reused with a different meaning.
message CryptoKey {
  option (google.api.resource) = {
    type: "cloudkms.googleapis.com/CryptoKey"
    pattern: "projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}"
  };

  // [CryptoKeyPurpose][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose] describes the cryptographic capabilities of a
  // [CryptoKey][google.cloud.kms.v1.CryptoKey]. A given key can only be used for the operations allowed by
  // its purpose. For more information, see
  // [Key purposes](https://cloud.google.com/kms/docs/algorithms#key_purposes).
  //
  // The purpose is the coarse-grained authorization boundary for a key: the
  // service rejects operations outside it regardless of IAM permissions.
  //
  // NOTE(review): values are not prefixed with the enum name (e.g.
  // CRYPTO_KEY_PURPOSE_ENCRYPT_DECRYPT). Renaming them would be
  // source-breaking on this published API, so they must stay as they are;
  // new values should follow the existing scheme for consistency.
  // Values 2 to 4 are unused here — if they were ever published, reserve them.
  enum CryptoKeyPurpose {
    // Not specified.
    CRYPTO_KEY_PURPOSE_UNSPECIFIED = 0;

    // [CryptoKeys][google.cloud.kms.v1.CryptoKey] with this purpose may be used with
    // [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt] and
    // [Decrypt][google.cloud.kms.v1.KeyManagementService.Decrypt].
    ENCRYPT_DECRYPT = 1;

    // [CryptoKeys][google.cloud.kms.v1.CryptoKey] with this purpose may be used with
    // [AsymmetricSign][google.cloud.kms.v1.KeyManagementService.AsymmetricSign] and
    // [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
    ASYMMETRIC_SIGN = 5;

    // [CryptoKeys][google.cloud.kms.v1.CryptoKey] with this purpose may be used with
    // [AsymmetricDecrypt][google.cloud.kms.v1.KeyManagementService.AsymmetricDecrypt] and
    // [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
    ASYMMETRIC_DECRYPT = 6;
  }

  // Output only. The resource name for this [CryptoKey][google.cloud.kms.v1.CryptoKey] in the format
  // `projects/*/locations/*/keyRings/*/cryptoKeys/*`.
  string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. A copy of the "primary" [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] that will be used
  // by [Encrypt][google.cloud.kms.v1.KeyManagementService.Encrypt] when this [CryptoKey][google.cloud.kms.v1.CryptoKey] is given
  // in [EncryptRequest.name][google.cloud.kms.v1.EncryptRequest.name].
  //
  // The [CryptoKey][google.cloud.kms.v1.CryptoKey]'s primary version can be updated via
  // [UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion].
  //
  // Keys with [purpose][google.cloud.kms.v1.CryptoKey.purpose]
  // [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT] may have a
  // primary. For other keys, this field will be omitted.
  //
  // This is a snapshot taken when the CryptoKey was read; it is not a live
  // reference, so a rotation after the read is not reflected in it.
  CryptoKeyVersion primary = 2 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Immutable. The immutable purpose of this [CryptoKey][google.cloud.kms.v1.CryptoKey].
  //
  // Fixed at creation; a key cannot be repurposed, which prevents key
  // material created for one operation class from being reused for another.
  CryptoKeyPurpose purpose = 3 [(google.api.field_behavior) = IMMUTABLE];

  // Output only. The time at which this [CryptoKey][google.cloud.kms.v1.CryptoKey] was created.
  google.protobuf.Timestamp create_time = 5 [(google.api.field_behavior) = OUTPUT_ONLY];

  // At [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time], the Key Management Service will automatically:
  //
  // 1. Create a new version of this [CryptoKey][google.cloud.kms.v1.CryptoKey].
  // 2. Mark the new version as primary.
  //
  // Key rotations performed manually via
  // [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion] and
  // [UpdateCryptoKeyPrimaryVersion][google.cloud.kms.v1.KeyManagementService.UpdateCryptoKeyPrimaryVersion]
  // do not affect [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time].
  //
  // Keys with [purpose][google.cloud.kms.v1.CryptoKey.purpose]
  // [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT] support
  // automatic rotation. For other keys, this field must be omitted.
  //
  // Rotation only changes which version is primary for new Encrypt calls;
  // earlier versions remain available for Decrypt until they are destroyed.
  google.protobuf.Timestamp next_rotation_time = 7;

  // Controls the rate of automatic rotation.
  //
  // NOTE(review): this oneof currently has a single member. It presumably
  // exists so that other schedule types can be added later without a
  // source-breaking move into a oneof — confirm before adding members.
  oneof rotation_schedule {
    // [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time] will be advanced by this period when the service
    // automatically rotates a key. Must be at least 24 hours and at most
    // 876,000 hours.
    //
    // If [rotation_period][google.cloud.kms.v1.CryptoKey.rotation_period] is set, [next_rotation_time][google.cloud.kms.v1.CryptoKey.next_rotation_time] must also be set.
    //
    // Keys with [purpose][google.cloud.kms.v1.CryptoKey.purpose]
    // [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT] support
    // automatic rotation. For other keys, this field must be omitted.
    google.protobuf.Duration rotation_period = 8;
  }

  // A template describing settings for new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] instances.
  // The properties of new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] instances created by either
  // [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion] or
  // auto-rotation are controlled by this template.
  CryptoKeyVersionTemplate version_template = 11;

  // Labels with user-defined metadata. For more information, see
  // [Labeling Keys](https://cloud.google.com/kms/docs/labeling-keys).
  //
  // NOTE(review): labels are free-form, caller-supplied strings. Treat them
  // as metadata only; do not derive authorization or trust decisions from
  // their values.
  map<string, string> labels = 10;
}
// A [CryptoKeyVersionTemplate][google.cloud.kms.v1.CryptoKeyVersionTemplate] specifies the properties to use when creating
// a new [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion], either manually with
// [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion] or
// automatically as a result of auto-rotation.
//
// NOTE(review): field number 2 is unused in this message; if it was ever
// published it should be listed in a `reserved` statement.
message CryptoKeyVersionTemplate {
  // [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] to use when creating a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] based on
  // this template. Immutable. Defaults to [SOFTWARE][google.cloud.kms.v1.ProtectionLevel.SOFTWARE].
  //
  // NOTE(review): the comment says "Immutable" but, unlike
  // CryptoKey.purpose, the field carries no
  // `(google.api.field_behavior) = IMMUTABLE` annotation. Confirm the
  // service behavior and annotate it so generated clients and docs agree.
  // Note also that the implicit default (0 = PROTECTION_LEVEL_UNSPECIFIED)
  // is documented to resolve to SOFTWARE rather than being rejected.
  ProtectionLevel protection_level = 1;

  // Required. [Algorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm] to use
  // when creating a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] based on this template.
  //
  // For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if both
  // this field is omitted and [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose] is
  // [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
  //
  // The REQUIRED annotation and the backwards-compatibility default above
  // are intentionally in tension: new callers should always set this field
  // explicitly rather than rely on the implied value.
  CryptoKeyVersion.CryptoKeyVersionAlgorithm algorithm = 3 [(google.api.field_behavior) = REQUIRED];
}
// Contains an HSM-generated attestation about a key operation. For more
// information, see [Verifying attestations]
// (https://cloud.google.com/kms/docs/attest-key).
//
// The attestation is an opaque blob produced by the HSM; its value lies in
// verifying it against the HSM vendor's certificate chain as described in the
// linked documentation. Until verified it is just bytes and should not be
// treated as evidence of anything.
//
// NOTE(review): field numbers 1 to 3 of the message and values 1 to 2 of the
// enum are unused; if they were published earlier, list them as `reserved`.
message KeyOperationAttestation {
  // Attestation formats provided by the HSM.
  //
  // NOTE(review): values are not prefixed with the enum name; they cannot be
  // renamed on this published API, so keep the existing scheme.
  enum AttestationFormat {
    // Not specified.
    ATTESTATION_FORMAT_UNSPECIFIED = 0;

    // Cavium HSM attestation compressed with gzip. Note that this format is
    // defined by Cavium and subject to change at any time.
    CAVIUM_V1_COMPRESSED = 3;

    // Cavium HSM attestation V2 compressed with gzip. This is a new format
    // introduced in Cavium's version 3.2-08.
    CAVIUM_V2_COMPRESSED = 4;
  }

  // Output only. The format of the attestation data.
  //
  // Consumers should reject formats they do not recognise rather than
  // attempt to parse `content` heuristically; future values may be added.
  AttestationFormat format = 4 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The attestation data provided by the HSM when the key
  // operation was performed.
  //
  // Per `format`, this is a gzip-compressed payload; decompress with a
  // bounded output size before parsing, since the blob is server-supplied
  // and compressed.
  bytes content = 5 [(google.api.field_behavior) = OUTPUT_ONLY];
}
// A [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents an individual cryptographic key, and the
// associated key material.
//
// An [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] version can be
// used for cryptographic operations.
//
// For security reasons, the raw cryptographic key material represented by a
// [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] can never be viewed or exported. It can only be used to
// encrypt, decrypt, or sign data when an authorized user or application invokes
// Cloud KMS.
//
// NOTE(review): field numbers 2, 9, 12 and 13 are unused in this message; if
// they were ever published they should be listed in a `reserved` statement.
message CryptoKeyVersion {
  option (google.api.resource) = {
    type: "cloudkms.googleapis.com/CryptoKeyVersion"
    pattern: "projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}/cryptoKeyVersions/{crypto_key_version}"
  };

  // The algorithm of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion], indicating what
  // parameters must be used for each cryptographic operation.
  //
  // The
  // [GOOGLE_SYMMETRIC_ENCRYPTION][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm.GOOGLE_SYMMETRIC_ENCRYPTION]
  // algorithm is usable with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
  // [ENCRYPT_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT].
  //
  // Algorithms beginning with "RSA_SIGN_" are usable with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
  // [ASYMMETRIC_SIGN][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN].
  //
  // The fields in the name after "RSA_SIGN_" correspond to the following
  // parameters: padding algorithm, modulus bit length, and digest algorithm.
  //
  // For PSS, the salt length used is equal to the length of digest
  // algorithm. For example,
  // [RSA_SIGN_PSS_2048_SHA256][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm.RSA_SIGN_PSS_2048_SHA256]
  // will use PSS with a salt length of 256 bits or 32 bytes.
  //
  // Algorithms beginning with "RSA_DECRYPT_" are usable with
  // [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
  // [ASYMMETRIC_DECRYPT][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_DECRYPT].
  //
  // The fields in the name after "RSA_DECRYPT_" correspond to the following
  // parameters: padding algorithm, modulus bit length, and digest algorithm.
  //
  // Algorithms beginning with "EC_SIGN_" are usable with [CryptoKey.purpose][google.cloud.kms.v1.CryptoKey.purpose]
  // [ASYMMETRIC_SIGN][google.cloud.kms.v1.CryptoKey.CryptoKeyPurpose.ASYMMETRIC_SIGN].
  //
  // The fields in the name after "EC_SIGN_" correspond to the following
  // parameters: elliptic curve, digest algorithm.
  //
  // For more information, see [Key purposes and algorithms]
  // (https://cloud.google.com/kms/docs/algorithms).
  //
  // Verifiers of signatures and callers of AsymmetricDecrypt must use
  // exactly the padding and digest named by the value; the algorithm is
  // fixed per version and is reported OUTPUT_ONLY on the `algorithm` field.
  //
  // NOTE(review): numeric values are not contiguous (11, 14 and 19 to 30 are
  // unused) and values are unprefixed; neither can be changed on this
  // published API. Reserve any number that was once published.
  enum CryptoKeyVersionAlgorithm {
    // Not specified.
    CRYPTO_KEY_VERSION_ALGORITHM_UNSPECIFIED = 0;

    // Creates symmetric encryption keys.
    GOOGLE_SYMMETRIC_ENCRYPTION = 1;

    // RSASSA-PSS 2048 bit key with a SHA256 digest.
    RSA_SIGN_PSS_2048_SHA256 = 2;

    // RSASSA-PSS 3072 bit key with a SHA256 digest.
    RSA_SIGN_PSS_3072_SHA256 = 3;

    // RSASSA-PSS 4096 bit key with a SHA256 digest.
    RSA_SIGN_PSS_4096_SHA256 = 4;

    // RSASSA-PSS 4096 bit key with a SHA512 digest.
    RSA_SIGN_PSS_4096_SHA512 = 15;

    // RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest.
    RSA_SIGN_PKCS1_2048_SHA256 = 5;

    // RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest.
    RSA_SIGN_PKCS1_3072_SHA256 = 6;

    // RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest.
    RSA_SIGN_PKCS1_4096_SHA256 = 7;

    // RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest.
    RSA_SIGN_PKCS1_4096_SHA512 = 16;

    // RSAES-OAEP 2048 bit key with a SHA256 digest.
    RSA_DECRYPT_OAEP_2048_SHA256 = 8;

    // RSAES-OAEP 3072 bit key with a SHA256 digest.
    RSA_DECRYPT_OAEP_3072_SHA256 = 9;

    // RSAES-OAEP 4096 bit key with a SHA256 digest.
    RSA_DECRYPT_OAEP_4096_SHA256 = 10;

    // RSAES-OAEP 4096 bit key with a SHA512 digest.
    RSA_DECRYPT_OAEP_4096_SHA512 = 17;

    // ECDSA on the NIST P-256 curve with a SHA256 digest.
    EC_SIGN_P256_SHA256 = 12;

    // ECDSA on the NIST P-384 curve with a SHA384 digest.
    EC_SIGN_P384_SHA384 = 13;

    // ECDSA on the non-NIST secp256k1 curve. This curve is only supported for
    // HSM protection level.
    EC_SIGN_SECP256K1_SHA256 = 31;

    // Algorithm representing symmetric encryption by an external key manager.
    //
    // Key material for this algorithm lives outside Cloud KMS; see
    // ExternalProtectionLevelOptions for how the external key is referenced.
    EXTERNAL_SYMMETRIC_ENCRYPTION = 18;
  }

  // The state of a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion], indicating if it can be used.
  //
  // Only ENABLED permits cryptographic operations. DESTROYED is terminal;
  // DESTROY_SCHEDULED is the recoverable grace period before it. The
  // PENDING_* and IMPORT_FAILED states are transitional or terminal states
  // in which no operation may be performed.
  //
  // NOTE(review): values are unprefixed and ENABLED = 1 is declared after
  // PENDING_GENERATION = 5; both are fixed on this published API.
  enum CryptoKeyVersionState {
    // Not specified.
    CRYPTO_KEY_VERSION_STATE_UNSPECIFIED = 0;

    // This version is still being generated. It may not be used, enabled,
    // disabled, or destroyed yet. Cloud KMS will automatically mark this
    // version [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] as soon as the version is ready.
    PENDING_GENERATION = 5;

    // This version may be used for cryptographic operations.
    ENABLED = 1;

    // This version may not be used, but the key material is still available,
    // and the version can be placed back into the [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] state.
    DISABLED = 2;

    // This version is destroyed, and the key material is no longer stored.
    // A version may not leave this state once entered.
    DESTROYED = 3;

    // This version is scheduled for destruction, and will be destroyed soon.
    // Call
    // [RestoreCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.RestoreCryptoKeyVersion]
    // to put it back into the [DISABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DISABLED] state.
    DESTROY_SCHEDULED = 4;

    // This version is still being imported. It may not be used, enabled,
    // disabled, or destroyed yet. Cloud KMS will automatically mark this
    // version [ENABLED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.ENABLED] as soon as the version is ready.
    PENDING_IMPORT = 6;

    // This version was not imported successfully. It may not be used, enabled,
    // disabled, or destroyed. The submitted key material has been discarded.
    // Additional details can be found in
    // [CryptoKeyVersion.import_failure_reason][google.cloud.kms.v1.CryptoKeyVersion.import_failure_reason].
    IMPORT_FAILED = 7;
  }

  // A view for [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]s. Controls the level of detail returned
  // for [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] in
  // [KeyManagementService.ListCryptoKeyVersions][google.cloud.kms.v1.KeyManagementService.ListCryptoKeyVersions] and
  // [KeyManagementService.ListCryptoKeys][google.cloud.kms.v1.KeyManagementService.ListCryptoKeys].
  enum CryptoKeyVersionView {
    // Default view for each [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. Does not include
    // the [attestation][google.cloud.kms.v1.CryptoKeyVersion.attestation] field.
    //
    // Here the zero value is a meaningful default (the reduced view) rather
    // than an error; an absent `attestation` under this view is expected and
    // must not be read as "no attestation exists".
    CRYPTO_KEY_VERSION_VIEW_UNSPECIFIED = 0;

    // Provides all fields in each [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion], including the
    // [attestation][google.cloud.kms.v1.CryptoKeyVersion.attestation].
    FULL = 1;
  }

  // Output only. The resource name for this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in the format
  // `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
  string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

  // The current state of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
  //
  // NOTE(review): unlike the neighbouring fields, `state` carries no
  // field_behavior annotation. Presumably it is the one field a caller may
  // set (to move between ENABLED and DISABLED) — confirm against the service
  // definition and annotate accordingly.
  CryptoKeyVersionState state = 3;

  // Output only. The [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] describing how crypto operations are
  // performed with this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion].
  ProtectionLevel protection_level = 7 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The [CryptoKeyVersionAlgorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm] that this
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] supports.
  CryptoKeyVersionAlgorithm algorithm = 10 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Statement that was generated and signed by the HSM at key
  // creation time. Use this statement to verify attributes of the key as stored
  // on the HSM, independently of Google. Only provided for key versions with
  // [protection_level][google.cloud.kms.v1.CryptoKeyVersion.protection_level] [HSM][google.cloud.kms.v1.ProtectionLevel.HSM].
  //
  // Also omitted under the default CryptoKeyVersionView; request FULL to
  // receive it. Absence therefore does not by itself mean the version is not
  // HSM-backed.
  KeyOperationAttestation attestation = 8 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time at which this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] was created.
  google.protobuf.Timestamp create_time = 4 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s key material was
  // generated.
  google.protobuf.Timestamp generate_time = 11 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s key material is scheduled
  // for destruction. Only present if [state][google.cloud.kms.v1.CryptoKeyVersion.state] is
  // [DESTROY_SCHEDULED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROY_SCHEDULED].
  google.protobuf.Timestamp destroy_time = 5 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time this CryptoKeyVersion's key material was
  // destroyed. Only present if [state][google.cloud.kms.v1.CryptoKeyVersion.state] is
  // [DESTROYED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.DESTROYED].
  google.protobuf.Timestamp destroy_event_time = 6 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The name of the [ImportJob][google.cloud.kms.v1.ImportJob] used to import this
  // [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. Only present if the underlying key material was
  // imported.
  //
  // Useful for audit: an imported version's provenance is whatever wrapped
  // material was submitted under that job, not material generated in KMS.
  string import_job = 14 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time at which this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]'s key material
  // was imported.
  google.protobuf.Timestamp import_time = 15 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The root cause of an import failure. Only present if
  // [state][google.cloud.kms.v1.CryptoKeyVersion.state] is
  // [IMPORT_FAILED][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionState.IMPORT_FAILED].
  string import_failure_reason = 16 [(google.api.field_behavior) = OUTPUT_ONLY];

  // ExternalProtectionLevelOptions stores a group of additional fields for
  // configuring a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] that are specific to the
  // [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL] protection level.
  //
  // NOTE(review): this field carries no field_behavior annotation; whether
  // it is caller-settable after creation is not stated here — confirm.
  ExternalProtectionLevelOptions external_protection_level_options = 17;
}
// The public key for a given [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion]. Obtained via
// [GetPublicKey][google.cloud.kms.v1.KeyManagementService.GetPublicKey].
//
// None of the fields below are annotated OUTPUT_ONLY even though the message
// is only ever returned by the service; callers never construct it.
message PublicKey {
  option (google.api.resource) = {
    type: "cloudkms.googleapis.com/PublicKey"
    pattern: "projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}/cryptoKeyVersions/{crypto_key_version}/publicKey"
  };

  // The public key, encoded in PEM format. For more information, see the
  // [RFC 7468](https://tools.ietf.org/html/rfc7468) sections for
  // [General Considerations](https://tools.ietf.org/html/rfc7468#section-2) and
  // [Textual Encoding of Subject Public Key Info]
  // (https://tools.ietf.org/html/rfc7468#section-13).
  string pem = 1;

  // The [Algorithm][google.cloud.kms.v1.CryptoKeyVersion.CryptoKeyVersionAlgorithm] associated
  // with this key.
  //
  // Verifiers should take padding and digest parameters from this value
  // rather than inferring them from the key type in `pem` alone.
  CryptoKeyVersion.CryptoKeyVersionAlgorithm algorithm = 2;

  // Integrity verification field. A CRC32C checksum of the returned
  // [PublicKey.pem][google.cloud.kms.v1.PublicKey.pem]. An integrity check of [PublicKey.pem][google.cloud.kms.v1.PublicKey.pem] can be performed
  // by computing the CRC32C checksum of [PublicKey.pem][google.cloud.kms.v1.PublicKey.pem] and
  // comparing your results to this field. Discard the response in case of
  // non-matching checksum values, and perform a limited number of retries. A
  // persistent mismatch may indicate an issue in your computation of the CRC32C
  // checksum.
  // Note: This field is defined as int64 for reasons of compatibility across
  // different languages. However, it is a non-negative integer, which will
  // never exceed 2^32-1, and can be safely downconverted to uint32 in languages
  // that support this type.
  //
  // NOTE: This field is in Beta.
  //
  // CRC32C detects accidental corruption in transit; it is not a MAC and
  // gives no protection against a deliberately altered response. Authenticity
  // of the key comes from the authenticated transport and from checking
  // `name` against the version you requested.
  //
  // The Int64Value wrapper (rather than a bare int64) is what makes
  // "checksum absent" distinguishable from a checksum of 0; a missing
  // wrapper means no check can be performed.
  google.protobuf.Int64Value pem_crc32c = 3;

  // The [name][google.cloud.kms.v1.CryptoKeyVersion.name] of the [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] public key.
  // Provided here for verification.
  //
  // NOTE: This field is in Beta.
  //
  // Compare this with the name in your request; a mismatch means the key
  // does not belong to the version you asked for and must not be used.
  string name = 4;
}
// An [ImportJob][google.cloud.kms.v1.ImportJob] can be used to create [CryptoKeys][google.cloud.kms.v1.CryptoKey] and
// [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] using pre-existing key material,
// generated outside of Cloud KMS.
//
// When an [ImportJob][google.cloud.kms.v1.ImportJob] is created, Cloud KMS will generate a "wrapping key",
// which is a public/private key pair. You use the wrapping key to encrypt (also
// known as wrap) the pre-existing key material to protect it during the import
// process. The nature of the wrapping key depends on the choice of
// [import_method][google.cloud.kms.v1.ImportJob.import_method]. When the wrapping key generation
// is complete, the [state][google.cloud.kms.v1.ImportJob.state] will be set to
// [ACTIVE][google.cloud.kms.v1.ImportJob.ImportJobState.ACTIVE] and the [public_key][google.cloud.kms.v1.ImportJob.public_key]
// can be fetched. The fetched public key can then be used to wrap your
// pre-existing key material.
//
// Once the key material is wrapped, it can be imported into a new
// [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] in an existing [CryptoKey][google.cloud.kms.v1.CryptoKey] by calling
// [ImportCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.ImportCryptoKeyVersion].
// Multiple [CryptoKeyVersions][google.cloud.kms.v1.CryptoKeyVersion] can be imported with a single
// [ImportJob][google.cloud.kms.v1.ImportJob]. Cloud KMS uses the private key portion of the wrapping key to
// unwrap the key material. Only Cloud KMS has access to the private key.
//
// An [ImportJob][google.cloud.kms.v1.ImportJob] expires 3 days after it is created. Once expired, Cloud KMS
// will no longer be able to import or unwrap any key material that was wrapped
// with the [ImportJob][google.cloud.kms.v1.ImportJob]'s public key.
//
// For more information, see
// [Importing a key](https://cloud.google.com/kms/docs/importing-a-key).
//
// The security of an import rests on wrapping with the genuine job public
// key: for HSM-backed jobs the `attestation` field lets the caller verify
// the wrapping key before trusting it, and the 3-day expiry bounds how long a
// wrapped blob remains importable.
message ImportJob {
  option (google.api.resource) = {
    type: "cloudkms.googleapis.com/ImportJob"
    pattern: "projects/{project}/locations/{location}/keyRings/{key_ring}/importJobs/{import_job}"
  };

  // The public key component of the wrapping key. For details of the type of
  // key this public key corresponds to, see the [ImportMethod][google.cloud.kms.v1.ImportJob.ImportMethod].
  //
  // Nested because it has no meaning outside an ImportJob and is distinct
  // from the top-level PublicKey message (no algorithm or checksum here).
  message WrappingPublicKey {
    // The public key, encoded in PEM format. For more information, see the [RFC
    // 7468](https://tools.ietf.org/html/rfc7468) sections for [General
    // Considerations](https://tools.ietf.org/html/rfc7468#section-2) and
    // [Textual Encoding of Subject Public Key Info]
    // (https://tools.ietf.org/html/rfc7468#section-13).
    string pem = 1;
  }

  // [ImportMethod][google.cloud.kms.v1.ImportJob.ImportMethod] describes the key wrapping method chosen for this
  // [ImportJob][google.cloud.kms.v1.ImportJob].
  //
  // The two values differ only in the RSA modulus size of the outer wrap;
  // both use the same PKCS #11 mechanism. The hash named in the value is the
  // parameter of that mechanism as defined in the linked standard.
  enum ImportMethod {
    // Not specified.
    IMPORT_METHOD_UNSPECIFIED = 0;

    // This ImportMethod represents the CKM_RSA_AES_KEY_WRAP key wrapping
    // scheme defined in the PKCS #11 standard. In summary, this involves
    // wrapping the raw key with an ephemeral AES key, and wrapping the
    // ephemeral AES key with a 3072 bit RSA key. For more details, see
    // [RSA AES key wrap
    // mechanism](http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cos01/pkcs11-curr-v2.40-cos01.html#_Toc408226908).
    RSA_OAEP_3072_SHA1_AES_256 = 1;

    // This ImportMethod represents the CKM_RSA_AES_KEY_WRAP key wrapping
    // scheme defined in the PKCS #11 standard. In summary, this involves
    // wrapping the raw key with an ephemeral AES key, and wrapping the
    // ephemeral AES key with a 4096 bit RSA key. For more details, see
    // [RSA AES key wrap
    // mechanism](http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cos01/pkcs11-curr-v2.40-cos01.html#_Toc408226908).
    RSA_OAEP_4096_SHA1_AES_256 = 2;
  }

  // The state of the [ImportJob][google.cloud.kms.v1.ImportJob], indicating if it can be used.
  //
  // NOTE(review): PENDING_GENERATION and ACTIVE here carry different numeric
  // values from the same-named values in CryptoKeyVersionState; the two enums
  // are unrelated and must never be cast to one another.
  enum ImportJobState {
    // Not specified.
    IMPORT_JOB_STATE_UNSPECIFIED = 0;

    // The wrapping key for this job is still being generated. It may not be
    // used. Cloud KMS will automatically mark this job as
    // [ACTIVE][google.cloud.kms.v1.ImportJob.ImportJobState.ACTIVE] as soon as the wrapping key is generated.
    PENDING_GENERATION = 1;

    // This job may be used in
    // [CreateCryptoKey][google.cloud.kms.v1.KeyManagementService.CreateCryptoKey] and
    // [CreateCryptoKeyVersion][google.cloud.kms.v1.KeyManagementService.CreateCryptoKeyVersion]
    // requests.
    ACTIVE = 2;

    // This job can no longer be used and may not leave this state once entered.
    EXPIRED = 3;
  }

  // Output only. The resource name for this [ImportJob][google.cloud.kms.v1.ImportJob] in the format
  // `projects/*/locations/*/keyRings/*/importJobs/*`.
  string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Required. Immutable. The wrapping method to be used for incoming key material.
  ImportMethod import_method = 2 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.field_behavior) = IMMUTABLE
  ];

  // Required. Immutable. The protection level of the [ImportJob][google.cloud.kms.v1.ImportJob]. This must match the
  // [protection_level][google.cloud.kms.v1.CryptoKeyVersionTemplate.protection_level] of the
  // [version_template][google.cloud.kms.v1.CryptoKey.version_template] on the [CryptoKey][google.cloud.kms.v1.CryptoKey] you
  // attempt to import into.
  //
  // Fixed at creation so that material wrapped for an HSM job cannot later
  // be redirected into a SOFTWARE key, or vice versa.
  ProtectionLevel protection_level = 9 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.field_behavior) = IMMUTABLE
  ];

  // Output only. The time at which this [ImportJob][google.cloud.kms.v1.ImportJob] was created.
  google.protobuf.Timestamp create_time = 3 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time this [ImportJob][google.cloud.kms.v1.ImportJob]'s key material was generated.
  google.protobuf.Timestamp generate_time = 4 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time at which this [ImportJob][google.cloud.kms.v1.ImportJob] is scheduled for
  // expiration and can no longer be used to import key material.
  //
  // Set on creation (the scheduled deadline); contrast `expire_event_time`,
  // which records when expiry actually happened.
  google.protobuf.Timestamp expire_time = 5 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time this [ImportJob][google.cloud.kms.v1.ImportJob] expired. Only present if
  // [state][google.cloud.kms.v1.ImportJob.state] is [EXPIRED][google.cloud.kms.v1.ImportJob.ImportJobState.EXPIRED].
  google.protobuf.Timestamp expire_event_time = 10 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The current state of the [ImportJob][google.cloud.kms.v1.ImportJob], indicating if it can
  // be used.
  ImportJobState state = 6 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The public key with which to wrap key material prior to
  // import. Only returned if [state][google.cloud.kms.v1.ImportJob.state] is
  // [ACTIVE][google.cloud.kms.v1.ImportJob.ImportJobState.ACTIVE].
  //
  // For HSM-backed jobs, verify this key via `attestation` before wrapping
  // key material with it, as the linked import documentation describes.
  WrappingPublicKey public_key = 7 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Statement that was generated and signed by the key creator
  // (for example, an HSM) at key creation time. Use this statement to verify
  // attributes of the key as stored on the HSM, independently of Google.
  // Only present if the chosen [ImportMethod][google.cloud.kms.v1.ImportJob.ImportMethod] is one with a protection
  // level of [HSM][google.cloud.kms.v1.ProtectionLevel.HSM].
  //
  // NOTE(review): the comment ties presence to the ImportMethod, but the
  // protection level is a separate field (`protection_level`) and neither
  // ImportMethod value names a protection level. Presumably presence depends
  // on `protection_level` being HSM — confirm and reword.
  KeyOperationAttestation attestation = 8 [(google.api.field_behavior) = OUTPUT_ONLY];
}
// [ProtectionLevel][google.cloud.kms.v1.ProtectionLevel] specifies how cryptographic operations are performed.
// For more information, see [Protection levels]
// (https://cloud.google.com/kms/docs/algorithms#protection_levels).
//
// The protection level determines where key material lives and therefore
// what evidence is available about it: only HSM versions carry a
// KeyOperationAttestation, and EXTERNAL versions hold no material in Cloud
// KMS at all (see ExternalProtectionLevelOptions).
//
// NOTE(review): the values are unprefixed (SOFTWARE, HSM, EXTERNAL) and sit
// at package scope, so they occupy the package namespace in generated code.
// They cannot be renamed on this published API.
enum ProtectionLevel {
  // Not specified.
  PROTECTION_LEVEL_UNSPECIFIED = 0;

  // Crypto operations are performed in software.
  SOFTWARE = 1;

  // Crypto operations are performed in a Hardware Security Module.
  HSM = 2;

  // Crypto operations are performed by an external key manager.
  EXTERNAL = 3;
}
// ExternalProtectionLevelOptions stores a group of additional fields for
// configuring a [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] that are specific to the
// [EXTERNAL][google.cloud.kms.v1.ProtectionLevel.EXTERNAL] protection level.
message ExternalProtectionLevelOptions {
  // The URI for an external resource that this [CryptoKeyVersion][google.cloud.kms.v1.CryptoKeyVersion] represents.
  //
  // NOTE(review): this is a caller-supplied URI that the service will
  // presumably contact to perform operations; the accepted URI scheme, host
  // restrictions and validation rules are not stated in this file — confirm
  // them in the service documentation before relying on this field.
  string external_key_uri = 1;
}